Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

Ask Wordfence Episode 1: Setting Up Minimum Viable WordPress Security

Last week we emailed a small group of our customers asking them to contribute questions for a series of videos we will be running. We received questions from many of you, so thank you very much for participating!

Today we are publishing Episode 1 of “Ask Wordfence,” where we discuss one of the questions we received: how to set up minimum viable security for WordPress.

You can watch the episode here on the blog, or find it on YouTube.com. Remember to hit “subscribe” on the video on YouTube if you would like to view the rest of the videos in the series.

As always, I welcome your comments below.

Video Transcription

Hi there, my name is Mark Maunder I’m thefounder and CEO of Wordfence and todaywe’re starting something a littledifferent. Last week we sent out a surveyto see some of our customers asking themto send us questions that they’d like us to answer on video. So this week we’re starting off with episode 1 where I’m going to answer one of the questions we received and we’re gonna start up today with a question from Victor in New York who asks:

“What would you consider minimum viable security for a wordpress website?”

Thanks Victor that’s a really great question and it’s going to take me a fewminutes to answer it because there are afew steps in the process of securing your WordPress website. So withoutfurther ado let’s just dive straight in.

Step 1: Choose a good WordPress hosting provider to ensure that you have good account isolation.

The first thing I do is I’d make surethat I’m using a reputable host becauseit’s very important that you haveisolation between accounts on a sharedhosting provider. If a host doesn’tprovide good isolation between accounts, what that means is if an attackercompromises one account on a sharedserver they can also access otheraccounts on that same server and you getthe kind of cross contamination. So it’svery important that you choose a hostingprovider that knows how to correctlyconfigure their permissions on theirservers so that you don’t havecross-contamination if one of theaccounts is hacked on that server.

It’svery rare to see a hosting provider thatdoes not have good account isolation butwe do see it about every month or two.It’s usually newer hosting providers andsmaller hosting providers as well. Thatdoesn’t mean you shouldn’t choose asmall host. There a lot of really reallygreat small hosting providers out there.Just make sure that they’ve been inbusiness for a little while so they’veironed out all the bugs and of coursethat they have a good reputation.

Step 2: Install the newest versions of WordPress core and the theme and plugins you need. Only install what you need and use a reliable source.

The next thing one needs to do is ofcourse install WordPress core. And youalways want to choose the newest versionof WordPress core when you’re installingWordPress because the older versionshave no known vulnerabilities. And if youinstall an older version it’ll almostcertainly get hacked because attackerswill exploit those vulnerabilities. Soalways install the newest version ofcore available at wordpress.org.

Ofcourse then you need to install yourplugins and your themes. You’ll usuallyjust have one theme and you’ll have multiple plugins, let’s say 5 plugins. Always get those plugins and that theme from a reputable source. Get them from wordpress.org or your plugins and your themes froma good reputable commercial providerbecause there’s something called a nulled plugin or a nulled theme. Whatthat is is an attacker downloads areputable plug-in and theyput their own malicious code in it andthen they throw it up on their ownwebsite which looks like a legitimatesite but actually it’s not. When youdownload the plug-in from there you’regetting code that’s already been hackedand your system is then compromised andyou’ve got a real mess on your hands. Somake sure you get your plugins and yourthemes from a reputable source.

Then ofcourse you have to keep everything up todate. Security is not a single event youdon’t go in and just secure a website ora system you actually have to have aroutine, let’s say a weekly routine. Soevery few days or every week go in andmake sure that everything is up-to-datethat everything’s secure if you’ve gotWordfence installed it of course it’llsend you emails letting you know you’vegot a theme or a plugin that’s out of date or if core needs to be updated andall. It’ll send you all sorts of otherhelpful alerts related to security somake sure you keep an eye on thosealerts and actually respond to them.

Step 4: Use strong passwords and don’t reuse them. Use a password manager like 1Password if you need to.

Thenext thing that one should do if you’resetting up minimum viable security isyou need strong passwords. That meansthat your passwords need to be complex.If you’re setting up anadministrator account on WordPress werecommend that you have a passwordlength of at least 12 characters andthat you choose from lowercase lettersuppercase letters numbers and symbols.That way you’ll have a password that’scomplex enough so it’s very difficultfor an attacker to crack your passwordif they happen to download the hash ofyour password.

Also use unique passwordsacross all of the services that you use. Thereason you should do this is because ifone of those systems is compromised, the first thing the attacker does isdownload the user accounts database andtry to use those accounts to log intoother services and compromise those too.So use unique passwords across all ofthe services that you use. I know that’sa lot to ask and it’s a real pain andit’s very very easy to remember oneshort password and use that samepassword across all of the systems. Butthis is really important. One ofthe tricks you can use isuse a password manager, like one password,to manage your passwords. The passwordmanager will generate a password for youthat’s very complex, long and hasmultiple characters in it. And then of course it’ll store it in a veryeasy-to-use database that you can thenaccess at some point.

If you reallyreally don’t want to use a passwordmanager you can also use a formula thatyou memorize and use to uniquelygenerate a complex password in your headfor each service that you use. That’s oneof the systems that I’ve used in thepast and it gives you a way to haveunique passwords across all systems. If your passwords complexenough then you’re in pretty good shape

The other thing you want to set up forminimum viable security on WordPress istwo-factor authentication. Two-factorauthentication is a way to ensure thatif your password is compromised there’sa kind of a another layer of defensethat that preventsthe attacker from getting into thesystem if they don’t have yourcell phone. You have two factors setup with your cell phone then they can’taccess the system even though they’vegot your password. This is one of thethings in information security that werefer to as a layered approach tosecurity. So you don’t just have a reallystrong password that’s unique across allsystems. You also have two factorauthentication setup so that there’skind of multiple layers of defense thatyou have to help you stay secure.

One ofthe other things you want to do isdelete unused accounts. And before Iforget Wordfence actually providestwo-factor authentication, so you can useWordfence for two-factor authentication.

The other thing you want to do is deleteyour unused accounts so don’t have a whole bunch of accounts lying around onyour your WordPress website. Only havethe accounts that you’re actually goingto use. So only administrator accountsthat you’re actually going to use andthe other all the other accounts shouldbe used. If you have old accounts on thesystem that aren’t used anymore makesure you delete them or disable them.

This is part of something in information security we call theprinciple of least privilege. You onlyprovide access to people whoactually need access to a system andwhen you do provide access you want togive them the the minimum access levelthat you can get away with that stillallows them to do their job.

So don’t, forexample, create a bunch of administratoraccounts for people who are justcontributing content to your website.Instead create a lowerlevel account so that they’ve only gotthe access that they need. That way youdon’t have all these other administratoraccounts that you then need to secure. Soagain that’s called the principle ofleast privilege and it’s a reallyeffective strategy that’s used withininformation security outside of theWordPress space.

Don’t use default account names. Renameyour admin account to something else andif you have any other obvious accountnames that have administrator privileges you might want to consider renaming them.This is something else as well that justgives you another one of those layersthat I mentioned where if an attacker istrying to guess the password for aparticular account they have ahard time time figuring out what theusername is because it’s no longer justadmin.

Step 8: Configure backups for your WordPress site. Use backups that are ‘rolling’ and ‘segregated’.

Now another thing that’scritically important when you’resecuring your WordPress site is backups.If your site is badly hacked and damagedbeyond repair you’re going to want to beable to restore it somehow. So either getbackups from your hosting provider oruse a service like UpdraftPlus. Fullbackups now the kind of backups e1 arewhat we call rolling segregated backups.That means that the backups are rollingso you get a backup every day or everyfew days and you can actually go back intime to a point in time and restore yoursite when it was still in working order.

So for example if your site is hacked ona Monday and you only discover it on aThursday if you only have a backup fromWednesday because every day your backupsare overwritten well that’s the site washacked at that point already so you’reup the creek and you can’t repair yoursite. So you need to have backups that gofurther back in time that you can use torestore your site.

Now I said rollingsegregated backups. Segregatedmeans that your backups are alsoseparate from your website if you haveyour back if your site’s backed up andthe backup file is actually on your sitethe hacker can come in and hack yoursite and destroy the backup as well soyou no longer have a backup so thebackup needs to be segregated so that’swhy we say you need rolling segregatedbackups for your WordPress website

Step 9: Leave automatic updates enabled.

ForWordPressautomatic updates should be enabled forcore. They’re enabled by default and whatthat means is that for minor versions ofWordPress, which often includessecurity releases, your site will be automaticallyupgraded to that security release. That’senabled by default so you shouldn’t haveto do anything to enable that, just don’tgo and disable it. It’s very veryimportant that you you leave thatenabled.

Step 10: Install a WordPress Firewall like Wordfence, for protection against emerging threats.

One of the most importantthings when it comes to securing yoursite and having minimum viable securityis to have a firewall installed.There’s a very specific reason you haveto have a firewall. You can take all ofthe other steps that I’ve mentionedwhere you’re keeping everythingup-to-date and so on, but sometimes whathappens is a vulnerability gets out intothe wild that is exploitable that meansthat a hacker out there knows of a wayto exploit a plug-in or a theme or evenWordPress core that allows them to gainaccess.Sometimes it takes developers some timeto fix that vulnerability and actuallyrelease the the fix to their customers.And during that time you’re vulnerableand you don’t have anything that you canupgrade to to protect yourself and sothat’s where the firewall comes in.

Wordfenceis an excellent firewall. It’s the mostpopular firewall for WordPress and ithas generic protection in there againstcross-site scripting, against sql injection and a variety of other attacks.That will protect against certain zero-dayattacks and protect you during thatwindow while a developer is workinghopefully as quickly as they can to geta security fix out and when the fix isactually released so it’s criticallyimportant that you have a firewallinstalled.

Of course Wordfence Premiumgets real-time updates so as soon as wehear about a new vulnerability or onegets reported to us or our researchers discover one we immediatelyrelease a fire will rule in real-timeand protect you during that time thatthe developer is working very quickly toget that patch out there.

Step 11: Install a malware scan Wordfence includes the most popular malware scan for WordPress. Free!

The other thingyou need of course is a malware scan. Themalware scan is your last line ofdefense if your site is somehow hackedeven though you’ve been keepingeverything up to date and it somehowmanages to get past your firewall. Themalware scan will detect that there’smalware on your system or thatsomething’s gone wrong and will let youknow so you can come in and very veryquickly react and use one of thoserolling segregated backups that Imentioned to restore your site and getback into good shape.

Well that’s aboutit we have a really helpful checklistyet in our learningCenter that you can use and it has manyof the items that I’ve mentioned onthere. I’ll include that URL in the notesthat go with the videoand if you want to learn more aboutWordPress security just visit wordfence.com/blog for our blog and or /learn for our learningcenter which includes a lot of a reallygreat content on WordPress security bothadvanced and beginner topics.

Hello Paul! We'd love to help you with this issue, but we're unable to offer support via blog comments. If you're a Premium customer, please do send in a support ticket by logging in to your Wordfence.com account and clicking "SUPPORT" in the main menu. If you use the free version of the plugin, our support team is ready to help and discuss this with you in the WordPress support forums, as well. Thanks!

Hi Mark
THANK YOU - as always - stellar information!
One minor omission: you said you would include checklist link in the notes - I don't see it in the notes and it is an excellent checklist:
https://www.wordfence.com/learn/wordpress-security-checklist/

Mark...enjoyed putting a name with a face in this new video series. Well done. While some of your blog topics covered in the recent past would be hard to explain in a video, I do like the idea of WordFence creating "Security U" (Security University), in which you create a series of higher-level instructional videos on website security. Google has done a pretty good job with video instruction on Tag Manager, Data Studio, etc. With WordFence being the expert on website security, a video series on these cyber-threats would be really beneficial to those of us who want to dive deeper into security-related issues.

Thanks again for all your efforts in both words and video. I'm sure all of us in the WordPress/WordFence community appreciate it.

I'm going to share this as it's really easy for beginners to grasp and hits all the main important points. Love how you guys do great investigative reporting and helpful tutorials like this, in addition to your great free plugin. Sign of good company culture.

Nice work! I'd like to add one comment/question. Being that NIST no longer recommends SMS based auth for MFA because of many known SMS issues--- is there a plan for Wordfence to support Google Authenticator, Authly/Duo or any physical token options like YubiKey or others?

Great video and congrats on the launch of this series! This is definitely another useful way for us all to absorb the ongoing information that is needed to ensure the utmost security with WordPress and in general. Thank you and your team as always for your valuable tips and insight!

Is there a transcript?
I have no doubt that there is some great and vital information here that I want to see. I'm not interested in watching a video - I want to see a transcript or read the info in a blog post.

To: Jim Martin, I do support the idea of a regular security video series by wordfence. There is already a great resource, though. It‘s a podcast named „Security Now“, available for free on iTunes, and on twit.tv. I recommend it to everyone I know.